We've been working with PyPI to help integrate Sigstore, which makes signing (and verification) easier!

sigstore.dev

I'll have to check out sigstore.

Anything that makes signing/verifying easier is a welcome change.

What, exactly, is hard about signing?

We used to say that about https, and now we got letsencrypt.

LE made SSL/TLS easy, we need something similar for sign/verify of packages/software.

Another commenter mentioned sigstore.dev which looks potentially interesting.